Re: Guidance on user deletion

From: Ron Johnson <ronljohnsonjr(at)gmail(dot)com>
To: Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Guidance on user deletion
Date: 2024-05-11 03:55:16
Message-ID: CANzqJaA3d-QADYBWWA7uP9=LsbkC8+4uM3MHoZOCFHnpLwz=6Q@mail.gmail.com
Lists: pgsql-admin

On Fri, May 10, 2024 at 2:37 PM Wetmore, Matthew (CTR) <Matthew(dot)Wetmore(at)evernorth(dot)com> wrote:

> Corporate env.
>
> I've searched for an official Best Practice on user deletion (leave
> company), but can't find anything that is official-ish.
>
> Two options:
>
> 1. Change user password to nonsense, then expire account.
> 2. DROP user.
>
> There are +/- to both.
>
> I prefer #1, as it gives the exact timestamp of expire (protects company
> and ex-employee), but corporate auditors disagree.
>
> What do you do? Any official guidance on this?

The five account systems I've had experience with (OpenVMS, Linux, Active
Directory, SQL Server, PostgreSQL) all have the ability to expire users,
and to unexpire them if the person ever returns. (That happened to me; my
AD account was still there; they just reactivated it...)

In *every* audit that I've gone through (and I go through them *every
year* because of PCI) the auditors are perfectly happy to see that accounts
are disabled. Occasionally they ask to see the log entry generated when one
tries to log into PostgreSQL with an expired account.
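The disable-and-later-reactivate approach described in the reply above, written out as an added example in PostgreSQL SQL (this is not code from the thread). The role name `alice`, the cutoff timestamp and the `dba_owner` role are constructed placeholders.

```sql
-- Added example: disabling and later re-enabling a PostgreSQL login role
-- instead of dropping it. "alice" is a constructed placeholder role name.

-- 1. Disable: remove the LOGIN attribute. This blocks every authentication
--    method (password, certificate, peer, GSS, ...), not only password logins.
ALTER ROLE alice NOLOGIN;

-- 2. Record the cutoff on the role as well. VALID UNTIL only governs
--    password authentication, so on its own it is not a complete disable,
--    but it leaves an exact expiry timestamp in the catalog for auditors.
--    (Constructed timestamp.)
ALTER ROLE alice VALID UNTIL '2024-05-10 14:37:00+00';

-- 3. End any sessions the role still has open; NOLOGIN only affects new
--    connections, not ones that already exist.
SELECT pg_terminate_backend(pid)
  FROM pg_stat_activity
 WHERE usename = 'alice';

-- 4. Verify the state an auditor would ask about: rolcanlogin should be
--    false and rolvaliduntil should show the cutoff.
SELECT rolname, rolcanlogin, rolvaliduntil
  FROM pg_roles
 WHERE rolname = 'alice';

-- 5. Re-enable if the person returns: the role, its object ownership and
--    its grants were never removed, so this is a single statement.
ALTER ROLE alice LOGIN VALID UNTIL 'infinity';

-- For comparison, DROP ROLE refuses to run while the role still owns
-- objects or holds privileges, so option #2 from the question needs
-- REASSIGN OWNED / DROP OWNED in each database first ("dba_owner" is a
-- constructed placeholder):
--   REASSIGN OWNED BY alice TO dba_owner;
--   DROP OWNED BY alice;
--   DROP ROLE alice;
```

After step 1, a connection attempt by the disabled role is refused and written to the server log as a FATAL entry (`role "alice" is not permitted to log in`), which is the log line the reply mentions auditors asking for. With only `VALID UNTIL` set, the rejection is instead reported as a password authentication failure, and non-password authentication methods would still let the role in, which is why the example applies `NOLOGIN` first.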
